50 Years of Growth, Innovation and Leadership
A Frost & Sullivan
White Paper
www.frost.com
Why Anti-DDoS Products and Services are Critical
for Today’s Business Environment
Protecting Against Modern DDoS Threats
Frost & Sullivan
CONTENTS
Executive Summary................................................................................................................ 3
Introduction............................................................................................................................. 4
What is DDoS?........................................................................................................................ 4
Volumetric Attacks................................................................................................................. 5
TCP State-Exhaustion Attacks............................................................................................. 6
Application-Layer Attacks.................................................................................................... 6
The Growing DDoS Problem................................................................................................. 7
Broader Spread of Attack Motivations and Targets............................................ 8
Volunteer Botnets.................................................................................................................. 9
Increased Impact on Organizations..................................................................................... 9
Complex Threats Need a Full-Spectrum Solution.............................................. 9
Integrity and Confidentiality vs. Availability....................................................... 9
Protect Your Business from the DDoS Threat...................................................... 10
Cloud-Based DDoS Protection............................................................................................. 10
Perimeter-Based DDoS Protection...................................................................................... 10
Out-of-the-Box Protection................................................................................................... 10
Advanced DDoS Blocking..................................................................................................... 11
Botnet Threat Mitigation...................................................................................... 11
Cloud Signaling...................................................................................................................... 11
The Final Word........................................................................................................................ 11
EXECUTIVE SUMMARY
The perception of distributed denial of service (DDoS) attacks has changed dramatically in the
past 24 months. A series of successful, high-profile attacks against enterprises, institutions and
governments around the world has driven home the importance of availability and the need
for layered defenses. These attacks have also driven home how quickly the pace of innovation
has accelerated on the attackers' side.
In today’s environment, any enterprise operating online—which means just about any type
and size of organization—can become a target because of who they are, what they sell, who
they partner with or for any other real or perceived affiliations. The widespread availability
of inexpensive attack tools enables anyone to carry out DDoS attacks. This has profound
implications for the threat landscape, risk profile, network architecture and security
deployments of Internet operators and Internet-connected enterprises.
The methods attackers use to carry out DDoS attacks have evolved from the traditional
high-bandwidth/volumetric attacks to stealthier application-layer attacks, with a combination of
both being used in some cases. Whether used for the sole purpose of shutting down a network,
or as a distraction while sensitive data is stolen, DDoS attacks continue to become more
complex and sophisticated. While some DDoS attacks have reached levels of 100 Gbps,
low-bandwidth application-layer attacks have become more prominent as attackers exploit the
difficulty of detecting these "low-and-slow" attacks before they impact services. The makeup of
the botnets used to carry out these attacks has also shifted. Botnets used to consist of
compromised PCs, unwitting participants controlled by a botmaster. In the age of the hacktivist,
people are opting in to botnets, and botnets can even be rented for the purpose of launching attacks.
Network administrators are finding that traditional security products, such as firewalls and
intrusion prevention systems (IPS), are not designed for today's complex DDoS threat. These
products focus on the integrity and confidentiality of a network, whereas DDoS targets the
availability of the network and the services it provides.
In today's complex and rapidly changing threat landscape, enterprises need to take control
of their DDoS risk by proactively architecting a layered defense that addresses availability
threats. Availability is already taken into account in risk planning for site selection, power
failures and natural disasters. Given today's threat landscape, DDoS planning should now be
part of any enterprise risk mitigation strategy.
Arbor Networks’ Pravail Availability Protection System (APS) is the first security product
focused on securing the network perimeter from threats against availability—specifically,
protection against application-layer DDoS attacks. Purpose-built for the enterprise, it delivers
out-of-the-box, proven DDoS attack identification and mitigation capabilities that can be
rapidly deployed with little configuration, even during an attack.
An added benefit for customers is Arbor’s unique visibility into DDoS botnets because of
its ATLAS infrastructure, which combines a darknet sensor network with traffic data from
more than 100 service provider customers around the world. The ATLAS Intelligence Feed
delivers DDoS signatures in real time to keep the enterprise data center edge protected
against hundreds of botnet-fueled DDoS attack toolsets and their variants.
Overall, the Arbor Pravail APS provides what other perimeter-based security devices cannot,
and that is the ability to detect and mitigate DDoS attacks proactively.
INTRODUCTION
Black Friday brings to mind the vision of hundreds of shoppers lined up at stores, ready to
pounce on deals and do business. A more recent addition to the holiday shopping calendar, Cyber
Monday, brings to mind a different vision: a global audience armed with a computer and a Web
browser, clicking away at the best deals at their favorite online retailer. While these two visions
may seem very different, in both the ability of customers to make purchases is critically important.
The concept of business continuity is not new; organizations have worked on business
continuity planning for a long time. Unfortunately, in today's always-on environment, the
challenge of business continuity is greater than ever before. Consider the ease with which
criminals can conduct a crippling attack on an organization. With attackers able to
generate significant amounts of traffic from the botnets they control, and sophisticated attack
tools at their disposal, even an organization with a high-capacity Internet connection can have
its Internet services, and its business, disrupted.
This paper will look at DDoS attacks in detail. It will illustrate the attack vectors being used and
describe why the threat to organizations is greater than ever before. It will then detail
why traditional firewall and IPS solutions fall short in protecting organizations against today's
sophisticated DDoS attacks. Finally, it will present the Arbor solution, a complete,
purpose-built solution that Frost & Sullivan believes can provide protection against the wide
range of DDoS attacks that can target the corporate data center.
WHAT IS DDOS?
A DDoS attack is simply an attempt by an attacker to exhaust the resources available to a
network, application or service so that genuine users cannot gain access. It is launched by a
group of malware-infected or volunteered client computers whose combined actions overwhelm
a given network, site or service. Not all DDoS attacks operate in the same way, however; they
come in many different forms. These include flood attacks, which rely on high volumes of
traffic or sessions to overwhelm a target (e.g., TCP SYN, ICMP and UDP floods), and more
sophisticated application-layer attack vectors and tools, such as Slowloris and KillApache.
¹ http://www.securelist.com/en/analysis/204792189/DDoS_attacks_in_Q2_2011
DDoS attacks can be classified as volumetric attacks, TCP state-exhaustion attacks or
application-layer attacks. In Kaspersky's DDoS Attacks in Q2 2011 report, HTTP flooding, an
application-layer attack, was the most common DDoS vector.¹ The dominance of
application-layer attacks illustrates the rapid evolution of DDoS away from traditional
volumetric attacks.
Attacked Vectors¹

    HTTP Flood       88%
    SYN Flood        5.4%
    UDP Flood        2.6%
    ICMP Flood       1.7%
    TCP Data Flood   1.2%
    DDoS on DNS      0.2%
Volumetric Attacks
Volumetric attacks flood a network with massive amounts of traffic that saturate and consume the
network's bandwidth and infrastructure. Once the traffic exceeds the capacity of the network,
or of its connectivity to the rest of the Internet, the network becomes inaccessible, as shown in
Figure 1. Examples of volumetric attacks include ICMP, fragment and UDP floods.
Figure 1: Volumetric Attacks (diagram: malicious traffic arriving via ISP 1, ISP 2 and ISP 3, mixed with regular traffic, saturates the Internet link ahead of the router, the firewall and the target applications and services)
TCP State-Exhaustion Attacks
TCP state-exhaustion attacks attempt to consume the connection state tables present
in many infrastructure components, such as load balancers, firewalls and the application servers
themselves. For instance, a firewall must inspect every packet to determine whether it opens a
new connection, continues an existing connection, or completes an existing connection.
Similarly, an intrusion prevention system must track state to carry out signature-based
detection and stateful protocol analysis. These and other stateful devices, including load
balancers, are frequently overwhelmed by large session floods or connection attacks.
The Sockstress attack, for example, can quickly overwhelm a firewall's state table by opening
sockets to fill the connection table. Because Sockstress completes real TCP handshakes, each
entry looks like a legitimate client to the firewall, while the attacker, using its own lightweight
user-space TCP implementation, keeps far less state per connection than the victim does.
Application-Layer Attacks
Application-layer attacks use far more sophisticated mechanisms to achieve the attacker's
goals. Rather than flooding a network with traffic or sessions, application-layer attacks target
specific applications or services and slowly exhaust resources at the application layer.
Application-layer attacks can be very effective at low traffic rates, and the traffic involved
can be perfectly legitimate from a protocol perspective. This makes application-layer attacks
harder to detect than other DDoS attack types: detection has to look at behavior over time
(connection age, request completion, per-source request rates) rather than at individual packets.
HTTP floods, DNS dictionary attacks and Slowloris are examples of application-layer attacks.
Figure: Application-Layer Attacks (diagram: low-bandwidth malicious requests arriving via ISP 1 and ISP 2, mixed with regular traffic, bypass the router, firewall and IPS as valid requests and slowly exhaust the target applications and services)
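The three classes described above (volumetric, TCP state-exhaustion and application-layer) show up as different symptoms, and the paper's point that a single attack may combine them is easy to get wrong in a classifier that stops at the first match. The following is an added example, not Arbor's detection logic or any code from this white paper: it triages a one-second snapshot of flow records by the symptom each class produces. The link size, table size, thresholds and flow records are all assumed or constructed for illustration.

```python
"""Triage a one-second snapshot of flow records into the DDoS classes
described on the page: volumetric (link saturation), TCP state exhaustion
(half-open connections filling a state table) and application-layer
(protocol-valid requests that never complete, as with Slowloris).

Added example; not Arbor's, Frost & Sullivan's or any real product's code.
Link size, table size, thresholds and flow records are constructed/assumed.
"""
from collections import Counter
from dataclasses import dataclass

# Hypothetical deployment: a 100 Mbit/s uplink in front of a firewall whose
# connection table holds 10,000 entries.
LINK_CAPACITY_BPS = 100_000_000
STATE_TABLE_SIZE = 10_000
STALL_SECONDS = 30  # an HTTP request still incomplete after 30 s is suspect


@dataclass(frozen=True)
class Flow:
    src: str
    state: str              # "SYN_RECV" (half-open), "ESTABLISHED" or "UDP"
    bytes_in: int           # bytes received from src during the window
    age_s: float            # seconds since the flow was first seen
    request_complete: bool  # client finished sending its request (TCP only)


def inbound_bps(flows, window_s=1.0):
    """Inbound bit rate over the window: the volumetric symptom."""
    return sum(f.bytes_in for f in flows) * 8 / window_s


def half_open(flows):
    """Embryonic TCP connections: the state-exhaustion symptom."""
    return [f for f in flows if f.state == "SYN_RECV"]


def stalled(flows):
    """Established, protocol-valid connections whose request never finishes:
    the low-and-slow symptom. A firewall/IPS passes these; nothing is malformed."""
    return [f for f in flows
            if f.state == "ESTABLISHED"
            and not f.request_complete
            and f.age_s > STALL_SECONDS]


def classify(flows, window_s=1.0):
    """Every attack class present, most urgent first. Several may apply at
    once; stopping at the first match would hide the second vector."""
    labels = []
    if inbound_bps(flows, window_s) > 0.8 * LINK_CAPACITY_BPS:
        labels.append("volumetric")
    if len(half_open(flows)) > 0.5 * STATE_TABLE_SIZE:
        labels.append("state-exhaustion")
    if flows and len(stalled(flows)) > 0.5 * len(flows):
        labels.append("application-layer")
    return labels


def top_sources(flows, n=3):
    """Sources contributing the most suspect flows: a candidate block list.
    Spoofed SYN floods defeat this, one reason the page pairs perimeter
    filtering with upstream (cloud) mitigation."""
    suspect = half_open(flows) + stalled(flows)
    return [src for src, _ in Counter(f.src for f in suspect).most_common(n)]


# Constructed snapshots using RFC 5737 documentation addresses.
def sample_normal():
    return [Flow(f"198.51.100.{i}", "ESTABLISHED", 1_500, 0.4, True)
            for i in range(50)]


def sample_udp_flood():
    # 2,000 flows x 6,000 bytes in one second = 96 Mbit/s, above 80% of the link.
    return [Flow(f"203.0.113.{i % 254 + 1}", "UDP", 6_000, 0.1, False)
            for i in range(2_000)] + sample_normal()


def sample_syn_flood():
    # 6,000 half-open connections at ~2.9 Mbit/s: the link is idle, the table is not.
    return [Flow(f"203.0.113.{i % 254 + 1}", "SYN_RECV", 60, 5.0, False)
            for i in range(6_000)] + sample_normal()


def sample_slowloris():
    # 400 connections from ten hosts trickling partial headers for two minutes.
    return [Flow(f"192.0.2.{i % 10 + 1}", "ESTABLISHED", 20, 120.0, False)
            for i in range(400)] + sample_normal()


if __name__ == "__main__":
    for name, snap in [("normal", sample_normal()),
                       ("udp flood", sample_udp_flood()),
                       ("syn flood", sample_syn_flood()),
                       ("slowloris", sample_slowloris()),
                       ("multi-vector", sample_udp_flood() + sample_syn_flood())]:
        print(f"{name:13s} {classify(snap)} top={top_sources(snap)}")
```

The ordering of the labels is deliberate: link saturation is handled upstream and must be acted on first, state exhaustion next (it takes the firewall itself down), and the low-and-slow case last because it is the only one the perimeter device can absorb on its own.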
THE GROWING DDoS PROBLEM
In recent years, DDoS attacks have become more sophisticated. The attack vectors attackers
are using within their attacks are more complex. Attackers now use a combination of
volumetric and application-layer DDoS attacks, as they know this increases their chances of
disrupting availability.
Volumetric attacks are also getting larger, with a larger base of either malware-infected
machines or volunteered hosts being used to launch these attacks.
As represented in Figure 4, in a survey conducted by Arbor Networks, the size of volumetric
DDoS attacks has steadily grown.² In 2010, however, a 100 Gbps attack was reported, more than
double the size of the largest attack in 2009. This staggering figure illustrates the
resources attackers are capable of bringing to bear when attacking a network or service.
² Arbor Networks, Worldwide Infrastructure Security Report, Volume VI
Figure 4: DDoS Attacks by Gbps² (bar chart: reported attack size per year, 2005 to 2010, on a 0 to 100 Gbps bandwidth axis, reaching 100 Gbps in 2010)
As organizations face these new challenges, network administrators have to look for a solution
whose sole purpose is deflecting and mitigating these new attacker tactics.
Broader Spread of Attack Motivations and Targets
The emergence of hacktivism has changed the view of DDoS in the security community. Once
viewed primarily as a method of reputational or financial gain, DDoS attack motivations have moved
on. While attacks motivated by extortion and the like still exist, DDoS attacks are now also used
as a form of political activism ("hacktivism") or to demonstrate how insecure networks are. Media
organizations, social networks and governments, among others, have been targeted heavily by
these types of DDoS attacks.
Two well-known hacker groups garnering attention are Anonymous and LulzSec. Anonymous
aims to attack organizations it believes are complicit in suppressing Internet freedom and
freedom of speech. LulzSec, on the other hand, has built its reputation on exposing security
flaws in networks and websites.
While LulzSec aims to expose vulnerabilities in networks with no motivation other than
revealing them, there have been other instances where the reasoning behind attacks has been
less clear. According to Kaspersky's DDoS Attacks in Q2 2011 report, social networks are
targeted because they allow the immediate exchange of information between tens of
thousands of users. In 2011, the Russian virtual community LiveJournal experienced a series
of attacks. The botnet behind the attacks was named Optima. To this day, no one has claimed
responsibility for the attacks.
Volunteer Botnets
Hacktivist groups have shown how easy it is to build a botnet of volunteered, rather than
malware-infected, machines. Hacktivist groups are known for recruiting members through social
media networks, and it appears that only minimal persuasion is required to recruit participants.
Regardless of hacking skill, anyone can be part of one of these movements. This alarming trend
poses serious problems for the industry, as highly skilled attackers and novice users now have
access to some of the same sophisticated DDoS attack tools.
Increased Impact on Organizations
The growing dependence of businesses on datacenter and cloud services has resulted in a
renewed focus on the security of these services. Once an afterthought, security in the cloud
has moved to the top of the priority list. Businesses should look at security capabilities as one
of the key factors they evaluate when deciding upon a provider of cloud or datacenter services,
as the business impacts of an attack can be significant.
The business cost of a DDoS attack to an organization is multi-faceted. It ranges from the
operational costs of dealing with the attack to the potential long-term revenue impact that
might arise from brand damage if an attack is successful. As an example, in April 2011 a
cybercriminal was sentenced in Germany for attempting to blackmail German bookmakers
during the 2010 World Cup. While the ransom demand was not significant, the bookmakers
estimated that within the few hours their sites were down, they lost between 25,000 and
40,000 Euros for large offices and 5,000 to 6,000 Euros for smaller offices. The punishment
in Germany for computer sabotage is now up to 10 years in prison.
Another worrying development is the use of DDoS as a means of distraction. In the case of the
Sony breach, a DDoS attack was allegedly used as a distraction so that other criminal activity,
which resulted in the loss of passwords, usernames and credit card information, could take
place. This potential threat further justifies the need for solutions that mitigate the latest DDoS
attacks and methods.
COMPLEX THREATS NEED A FULL-SPECTRUM SOLUTION
Given the threat complexity and the business impact of DDoS, a full-spectrum solution is
required. A common response by many administrators to the challenge of DDoS is the belief
that their firewall and IPS infrastructure will protect them from attack. Unfortunately, this is
not true. Firewalls and IPS devices, while critical to network protection, are not adequate to
protect against all DDoS attacks.
Integrity and Confidentiality vs. Availability
Many administrators rely on firewalls and intrusion prevention systems, some of which have
been extended with DDoS-related capabilities. Firewalls and IPS devices, however, focus on
integrity and confidentiality. They are built for other security problems (enforcing network
policy and blocking intrusion attempts), and those capabilities do not readily extend to
threats targeting network and service availability, the focus of DDoS attacks. Firewalls and IPS
devices cannot stop widely distributed attacks or attacks using sophisticated application-layer
attack vectors. In fact, many DDoS attacks target the firewall and IPS devices themselves.
Firewalls and IPS devices are attractive DDoS targets because they are stateful. Stateful devices
track every packet of every connection that passes through the network in order to look for
malicious activity, and have a set of built-in mechanisms to protect against known threats.
Because many DDoS attacks are state-exhausting by nature, firewalls and IPS devices can fail
during an attack, taking the services behind them down as well. For example, Sockstress attacks,
which open sockets to fill the connection table, can overwhelm both firewalls and IPS devices.
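The argument above, that a stateful device becomes the outage once its table fills, is easy to check with a small model. The following is an added example, not code from this paper or from any firewall vendor: it simulates a connection table with a deliberately tiny capacity, drives it with a constructed SYN flood that never completes handshakes, and measures what fraction of legitimate clients still get through under the usual mitigations (a short half-open timeout, a per-source cap). Capacity, timers, rates and addresses are all assumed.

```python
"""Model a stateful firewall's connection table under a SYN flood.

Added example; not from the page or any vendor. It exercises the argument
that stateful devices fail when their table fills, on a deliberately tiny
table with constructed arrivals, and shows which of the usual knobs help.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Entry:
    src: str
    half_open: bool  # handshake never completed
    created: float


@dataclass
class StateTable:
    capacity: int
    idle_timeout: float = 300.0                 # default entry lifetime (assumed)
    half_open_timeout: Optional[float] = None   # mitigation: age embryonic entries fast
    per_source_limit: Optional[int] = None      # mitigation: cap half-open entries per source
    entries: List[Entry] = field(default_factory=list)
    _last_expire: float = -1.0

    def expire(self, now):
        """Drop entries older than their timeout (once per distinct timestamp)."""
        if now == self._last_expire:
            return
        self._last_expire = now
        keep = []
        for e in self.entries:
            limit = self.idle_timeout
            if e.half_open and self.half_open_timeout is not None:
                limit = self.half_open_timeout
            if now - e.created < limit:
                keep.append(e)
        self.entries = keep

    def admit(self, src, now, completes_handshake):
        """Try to add a connection; True if the table accepted it."""
        self.expire(now)
        if self.per_source_limit is not None and not completes_handshake:
            embryonic = sum(1 for e in self.entries if e.half_open and e.src == src)
            if embryonic >= self.per_source_limit:
                return False
        if len(self.entries) >= self.capacity:
            return False  # table full: the device itself is now the outage
        self.entries.append(Entry(src, not completes_handshake, now))
        return True


def run(table, flood_rate, flood_sources, legit_per_sec=5, seconds=60):
    """Each second: flood_rate SYNs that never complete (cycling through
    flood_sources), then legit_per_sec real clients. Returns the fraction of
    legitimate connections the table accepted."""
    ok = total = 0
    k = 0
    for t in range(seconds):
        for _ in range(flood_rate):
            table.admit(flood_sources[k % len(flood_sources)], float(t), False)
            k += 1
        for j in range(legit_per_sec):
            total += 1
            if table.admit(f"198.51.100.{j}", t + 0.5, True):
                ok += 1
    return ok / total


def compare(capacity=1_000):
    """Legitimate-connection success under several configurations.
    Source addresses are constructed (RFC 5737 / RFC 1918 ranges)."""
    few = [f"203.0.113.{i}" for i in range(1, 21)]                 # 20 real bots
    spoofed = [f"10.{i // 256}.{i % 256}.1" for i in range(2_000)]  # spoofed sources
    return {
        "no mitigation": run(StateTable(capacity), 100, few),
        "short half-open timeout": run(StateTable(capacity, half_open_timeout=3.0), 100, few),
        "per-source limit, few sources": run(StateTable(capacity, per_source_limit=10), 100, few),
        "per-source limit, spoofed sources": run(StateTable(capacity, per_source_limit=10), 100, spoofed),
        "short timeout, 5x flood rate": run(StateTable(capacity, half_open_timeout=3.0), 500, few),
    }


if __name__ == "__main__":
    for name, frac in compare().items():
        print(f"{name:36s} legitimate clients admitted: {frac:.0%}")
```

Two results are the ones worth taking away. A per-source cap works only while the flood comes from a handful of real addresses; against spoofed or widely distributed sources it does nothing, which is the "widely distributed attacks" point made above. A short half-open timeout helps, but only up to the rate at which the table can drain, so a flood five times larger fills it again; beyond that point the state has to be kept off the device (SYN cookies) or the flood has to be stopped upstream.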
Protect Your Business from the DDoS Threat
A complex threat like DDoS requires a layered security solution. First, enterprises must
protect themselves from volumetric and state-exhaustion DDoS attacks, which can saturate
their Internet connectivity, by utilizing the cloud-based protection services offered by some
Internet Service Providers (ISPs) or Managed Security Service Providers (MSSPs). Second, they
must have protection from application-layer DDoS attacks using a perimeter-based solution.
A perimeter-based solution also empowers enterprises by enabling them to take control of their
own response to the DDoS threat.
Cloud-Based DDoS Protection
Enterprises must work with upstream ISPs and MSSPs to have protection from large flood
attacks. Because a large percentage of DDoS attacks remain volumetric or flood attacks,
enterprises should demand clean pipes from their providers.
Perimeter-Based DDoS Protection
Arbor Networks' Pravail Availability Protection System (APS) has been developed to meet the
DDoS threat, protecting other perimeter-based security devices and infrastructure from the
impact of attacks. With the sole purpose of stopping availability threats, Pravail APS provides the
ability to detect and block application-layer, TCP state-exhaustion and volumetric attacks. Utilizing
a combination of mechanisms, including the real-time ATLAS Intelligence Feed, Pravail can mitigate
the most complicated DDoS attacks. However, as a perimeter solution, it cannot deal with attacks
that saturate the Internet connectivity in front of it; those require cloud-based protection, which
Pravail APS can request automatically using Arbor's Cloud Signaling protocol, providing protection
from complex, multi-vector threats.
Out-of-the-Box Protection
In many cases, deploying a new security device necessitates tuning and a lengthy
integration process. Pravail APS has been developed to give administrators the ability to install
the product and immediately stop attacks with minimal configuration. Although protection
for common DoS/DDoS attack types is automated, manual configuration options are
available for advanced users. The ATLAS Intelligence Feed (AIF) also provides the device with
information on emerging attack vectors so that they can be dealt with automatically. Pravail APS
provides real-time reports on attacks, blocked hosts and service traffic, so administrators can
better understand the nature of their traffic and of any attacks that target their services.
Advanced DDoS Blocking
Pravail APS meets the challenge administrators are increasingly facing in dealing with DDoS
attacks. Using a variety of counter measures, Pravail APS detects and puts a stop to DDoS
attacks, especially those that are difficult to detect in a cloud environment.
BotnetThreat Mitigation
Backed by the Arbor security research team, Pravail APS receives updates on new threats
automatically, without software upgrades, through the AIF. These threats can then be
proactively blocked before they impact services.
Cloud Signaling
Pravail APS provides a comprehensive solution to efficiently detect and stop DDoS attacks,
as it enables tight integration between the perimeter and cloud-based services via cloud
signaling. To this end, Arbor has launched the Cloud Signaling Coalition with a long and growing
list of ISPs and MSSPs who stand ready to receive cloud signals from Pravail APS.
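The hand-off described in the "Perimeter-Based DDoS Protection" and "Cloud Signaling" sections rests on one decision: the perimeter device mitigates what it can, and asks the upstream provider for help once its own link is filling up. The following is an added example, not Arbor's code; Arbor's Cloud Signaling protocol is not described on this page and its wire format is not modelled here. The controller shows only the decision logic, with hysteresis so that a one-second spike does not page the provider and a brief lull does not release upstream mitigation too early. Thresholds, timers, link size and the traffic timeline are all assumed or constructed.

```python
"""Perimeter-to-cloud hand-off decision for link-saturating attacks.

Added example; not Arbor's code and not its Cloud Signaling protocol. It
models only the decision: escalate to upstream mitigation when the local
link is nearly full for several consecutive seconds, release it only after
a sustained quiet period. All thresholds, timers and samples are assumed.
"""
from dataclasses import dataclass


@dataclass
class SignalController:
    link_capacity_bps: float
    escalate_util: float = 0.80  # ask upstream once inbound reaches 80% of the link...
    escalate_after: int = 3      # ...for this many consecutive one-second samples
    clear_util: float = 0.50     # release upstream once inbound is back under 50%...
    clear_after: int = 10        # ...for this long: releasing early re-exposes the link
    upstream_active: bool = False
    _hot: int = 0
    _cool: int = 0

    def observe(self, inbound_bps):
        """Feed one per-second sample; return "ESCALATE", "CLEAR" or None."""
        util = inbound_bps / self.link_capacity_bps
        if util >= self.escalate_util:
            self._hot, self._cool = self._hot + 1, 0
        elif util <= self.clear_util:
            self._hot, self._cool = 0, self._cool + 1
        else:
            self._hot = self._cool = 0  # between thresholds: hold the current state
        if not self.upstream_active and self._hot >= self.escalate_after:
            self.upstream_active = True
            return "ESCALATE"
        if self.upstream_active and self._cool >= self.clear_after:
            self.upstream_active = False
            return "CLEAR"
        return None


def replay(samples_bps, link_capacity_bps):
    """Run a timeline of per-second inbound rates; return [(second, action)]."""
    ctl = SignalController(link_capacity_bps)
    events = []
    for t, bps in enumerate(samples_bps):
        action = ctl.observe(bps)
        if action:
            events.append((t, action))
    return events


def sample_timeline():
    """Constructed timeline on an assumed 1 Gbit/s link: a quiet period, a
    one-second spike that must not trigger, a 20 s flood, then the residual
    traffic seen once upstream scrubbing has taken effect."""
    cap = 1_000_000_000
    quiet = [0.2 * cap] * 10
    spike = [0.9 * cap, 0.3 * cap]
    flood = [0.95 * cap] * 20
    scrubbed = [0.3 * cap] * 15
    return quiet + spike + flood + scrubbed, cap


if __name__ == "__main__":
    samples, cap = sample_timeline()
    print(replay(samples, cap))  # [(14, 'ESCALATE'), (41, 'CLEAR')]
```

One caveat a practitioner should keep in mind: the perimeter device can only measure the bits that survive the upstream link. Once that link is saturated it sees 100% utilization and nothing more, so the trigger fires on "link nearly full", not on the true size of the attack, which only the provider can observe. The clear threshold likewise acts on post-scrub residual traffic, which is why it waits for a sustained quiet period before releasing upstream mitigation.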
THE FINAL WORD
It is clear that DDoS attacks are continuing to increase in both size and complexity. Furthermore,
the motivations behind attacks have broadened to include ideological hacktivism and Internet
vandalism, putting everyone from social networks to governments at risk of attack.
The number of DDoS attacks continues to increase, and DDoS remains a growing threat.
Administrators need to understand that traditional security devices are not enough to protect a
network or the services it provides. Trying to extend the capabilities of these products to defend
against DDoS attacks has proven ineffective. These products remain essential to an organization's
defenses, but a product for protection against DDoS attacks, on-premise and in the cloud, is very
different. Enterprises must have the right perimeter-based product, but must also have the right
solution in the cloud. The icing on the cake is being able to unite the perimeter and cloud solutions
in a seamless and automated manner.
877.GoFrost • myfrost@frost.com
http://www.frost.com
ABOUT FROST & SULLIVAN
Frost & Sullivan, the Growth Partnership Company, partners with clients to accelerate their growth. The company's
TEAM Research, Growth Consulting, and Growth Team Membership™ empower clients to create a growth-focused
culture that generates, evaluates, and implements effective growth strategies. Frost & Sullivan employs over 50 years of
experience in partnering with Global 1000 companies, emerging businesses, and the investment community from more
than 40 offices on six continents. For more information about Frost & Sullivan's Growth Partnership Services, visit
http://www.frost.com.
For information regarding permission, write:
Frost & Sullivan
331 E. Evelyn Ave. Suite 100
Mountain View, CA 94041
Silicon Valley
331 E. Evelyn Ave. Suite 100
Mountain View, CA 94041
Tel 650.475.4500
Fax 650.475.1570
San Antonio
7550 West Interstate 10, Suite 400,
San Antonio,Texas 78229-5616
Tel 210.348.1000
Fax 210.348.1003
London
4, Grosvenor Gardens,
London SW1W 0DH, UK
Tel 44(0)20 7730 3438
Fax 44(0)20 7730 3343
Auckland
Bangkok
Beijing
Bengaluru
Bogotá
Buenos Aires
Cape Town
Chennai
Colombo
Delhi / NCR
Dhaka
Dubai
Frankfurt
Hong Kong
Istanbul
Jakarta
Kolkata
Kuala Lumpur
London
Mexico City
Milan
Moscow
Mumbai
Manhattan
Oxford
Paris
Rockville Centre
San Antonio
São Paulo
Seoul
Shanghai
Silicon Valley
Singapore
Sophia Antipolis
Sydney
Taipei
Tel Aviv
Tokyo
Toronto
Warsaw
Washington, DC