Introduction
You have only to scan news headlines to be aware that Distributed Denial of Service (DDoS) attacks aren't
going away anytime soon. In fact, if anything, they are gaining momentum as a way for cybercriminals and
hacktivists to make political statements and create a wake of destruction that includes damaged reputation,
lost business and financial losses for their victims. And they are unpredictable in nature.
In their April 2012 report Entering the Next Phase of DDoS Defense, Stratecast researchers revealed that
DDoS attacks are increasing in number by 20% - 45% annually; with application-based DDoS attacks in
particular increasing by triple digits. Correspondingly, they found that attacking via DDoS is one of the most
prominent tools used by the hacker community, many times as part of a multi-technique attack strategy.
Michael Suby, vice president of research at Stratecast states:
For Website operators that have not yet given the risk and business impact of DDoS attacks serious
consideration, this is perilous ignorance. Although there is no guarantee an attack will occur, there is also no
guarantee that an attack will not occur. What can be stated with certainty is that the probability of a DDoS
attack is rising. Furthermore, when consideration is given to the use of botnets to perpetrate DDoS attacks, the
increasing number of independent Internet-connected appliances and growth in machine-to-machine Internet
interactions, this probability is marching toward a certainty.
Starting out as simple denial of service assaults launched from a single computer, DDoS attacks have emerged
with the proliferation of botnets and evolved into one of the most significant and prevalent threats on the
security landscape, a trend Verizon calls in its 2012 Data Breach Investigations Report "more frightening than
other threats, whether real or imagined."
DDoS attacks have gradually become very sophisticated. Beginning with targeted attacks on organizations'
critical infrastructure, such as DNS, in the early 2000s, they grew to include thousands of non-spoofed botnet
machines making legitimate connections in the late 2000s. Today, they utilize powerful servers with tremendous
CPU power and bandwidth at their disposal for socially engineered attacks. As the use of such servers to
obfuscate this next generation of more targeted attacks is becoming commonplace, traditional mitigation
methods used by service providers are proving increasingly ineffective.
As with most attacks, the assault often originates by an attacker successfully exploiting a vulnerability to
compromise one computer, which then becomes the DDoS robot under the control of a hacker or hacking
group. Just like an army general, the master computer recruits its infantry by communicating with and
subsequently infecting other systems, building an established botnet with a formal command and control
system.
At the discretion of the bot operator, the master computer instructs its army of infected computers to launch an
attack, resulting in a massive packet assault against its intended target. Overwhelmed with service requests,
the victim computer is forced to go offline as it succumbs to the attack. Alternatively, it will experience serious
degradation in performance and subsequently service, just as if it had gone offline.
Organizations are now increasingly targeted by application-layer DDoS attacks. In that case, the attack targets
the application service itself. While it was only a few years ago that a DDoS attack primarily targeted networks
using low-level protocol attacks such as PING, Smurf and different worms, today's attacks target
specific web applications in more sophisticated ways. Attackers use legitimate requests to overload
the server. More sophisticated DDoS attacks come after site reconnaissance to understand which request
creates the most CPU-intensive SQL query to the backend database. Other attacks try to exhaust server
memory, force writes to hard disks, or exploit server-specific weaknesses. As described in the 2012 Verizon Data
Breach Investigations Report, several high-profile application-layer DDoS attacks hiding behind volumetric
attacks were used to obscure data theft efforts, proving the theory of the use of multi-vector attacks to hide
the true target of the attack.
The costs of a DDoS attack can add up quickly. In addition to lost revenue for every minute of downtime,
organizations have to endure costs related to IT analysis and cleanup, such as increased operations expenses,
added help desk personnel to deal with inquiries and enhanced recovery efforts. Losses also include worker
output, which suffers while the systems are inaccessible, as well as lost business and customers. Additionally, many
businesses face financial penalties from broken Service Level Agreements.
For those businesses that depend on uptime, such as banking and e-commerce sites, any amount of
disrupted service affects revenue. To that point, the April 2012 Stratecast report documents that incidents of
DDoS attacks on e-commerce companies escalate during the period when Website disruptions will cause
the greatest economic harm: the fourth quarter of the calendar year. But while financial services and online
commerce stand the most to lose, DDoS attacks can indubitably badly impact all industries.
That continuous learning and retuning of policies is vital when defending against the DDoS threat because
Website functionality is never static, and as such attackers target all vectors in an attempt to gain entrance
into a victim's network. FortiDDoS appliances continuously update their generic set of policies to stay on top
of threats at all levels, regardless of their origination. Both learning mode and generic policy updates work in
parallel to serve as part of a comprehensive, multi-layer defensive strategy.
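Two points made above, that attackers favour the request which triggers the most CPU-intensive backend query, and that a defence has to keep learning what normal traffic looks like, can be turned into a small detector. What follows is an added example written for this page; it is not Fortinet code and does not reproduce the FortiDDoS learning mode. The log format, thresholds, IP addresses and every log line are constructed for the example.

```python
"""Application-layer DDoS detection with a learned baseline.

Added example, not Fortinet code. A clean "learning" window yields a per-URL
baseline (requests per second, mean response time as a proxy for backend cost);
a later window is then compared against it. Two rules fire: a single source
sending far too fast, and an expensive URL whose rate rose far above baseline
even though each individual request looks legitimate. Log lines below are
constructed for this example.
"""
from collections import Counter, defaultdict
import re
import statistics

# Constructed format: "<epoch-seconds> <client-ip> <method> <path> <status> <response-ms>"
LOG_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+) (\d{3}) (\d+)$")


def parse(lines):
    """Parse log lines into dicts, skipping malformed lines instead of failing."""
    recs = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, ip, _method, path, _status, ms = m.groups()
            recs.append({"ts": int(ts), "ip": ip, "path": path, "ms": int(ms)})
    return recs


def learn_baseline(recs, window_s):
    """Per-path mean requests/second and mean response time from a clean window."""
    by_path = defaultdict(list)
    for r in recs:
        by_path[r["path"]].append(r["ms"])
    return {p: {"rps": len(ms) / window_s, "mean_ms": statistics.fmean(ms)}
            for p, ms in by_path.items()}


def detect(recs, baseline, window_s, src_rps_limit=5.0, rise_factor=10.0, cost_ms=200):
    """Return alerts for (a) single sources above src_rps_limit and
    (b) paths whose rate rose rise_factor x over baseline AND whose mean
    response time is >= cost_ms, i.e. an expensive backend path being hit
    by many normal-looking requests from many sources."""
    alerts = []
    per_src = Counter(r["ip"] for r in recs)
    for ip, n in per_src.items():
        if n / window_s > src_rps_limit:
            alerts.append(("source_flood", ip, round(n / window_s, 2)))
    by_path = defaultdict(list)
    for r in recs:
        by_path[r["path"]].append(r["ms"])
    for path, ms in by_path.items():
        rps = len(ms) / window_s
        base_rps = baseline.get(path, {}).get("rps", 0.0)
        floor = max(base_rps, 1.0 / window_s)  # keep the ratio finite for unseen paths
        if rps / floor >= rise_factor and statistics.fmean(ms) >= cost_ms:
            alerts.append(("expensive_path_flood", path, round(rps, 2)))
    return alerts


def build_sample():
    """Constructed traffic: a 60 s clean window, then a 60 s window in which one
    host floods the cheap front page and 40 hosts quietly hammer a slow search."""
    clean = [f"{1000 + i} 10.0.0.{i % 5} GET /index 200 20" for i in range(60)]
    clean += [f"{1000 + i * 10} 10.0.0.9 GET /search?q=a 200 500" for i in range(6)]
    attack = [f"{2000 + i} 10.0.0.{i % 5} GET /index 200 20" for i in range(60)]
    attack += [f"{2000 + i // 10} 198.51.100.7 GET /index 200 20" for i in range(600)]
    attack += [f"{2000 + (i % 60)} 203.0.113.{1 + i // 3} GET /search?q=a 200 600"
               for i in range(120)]
    return clean, attack


def run_demo(window_s=60):
    """Learn from the clean window, then evaluate the attack window."""
    clean, attack = build_sample()
    baseline = learn_baseline(parse(clean), window_s)
    return detect(parse(attack), baseline, window_s)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In the constructed attack window the single fast host is caught by the per-source rule, while the search flood, spread over 40 hosts at three requests each, only shows up through the path rule: its rate is twenty times the learned baseline and each request is expensive. The front page also spikes, but because it is cheap to serve, the path rule stays quiet for it; that is the discrimination a baseline gives that a fixed request-rate threshold does not.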
FortiWeb
Combining both Web Application Firewall and sophisticated DDoS protection capabilities in a single platform,
FortiWeb delivers Web and application server protection and features a transparent challenge/response
approach to identify legitimate requests.
The appliance uses both network- and application-layer protection mechanisms to distinguish requests from
legitimate users and block access from clients associated with botnets. FortiWeb thus blocks threats that
target applications and Web services infrastructure, such as HTTP GET/POST floods, Slowloris and SQL injection,
among others. Sophisticated attacks are blocked using a multi-layered security approach.
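A challenge/response of the kind described above can be built from one signed token. The following is an added example, not FortiWeb's mechanism or code. It assumes the token is an HMAC over the client address and issue time under a server-side secret, that a real browser returns it on its next request in a cookie (named "clr" here, an assumed name), and that a client which never completes that round trip stays unverified and keeps receiving the challenge instead of reaching the application.

```python
"""Transparent challenge/response for telling browsers from simple bots.

Added example, not FortiWeb's implementation. The server mints a token bound to
the client address and the time of issue; a browser that follows the challenge
(e.g. a cookie plus an immediate reload) sends it back and is then passed
through. Verification checks well-formedness, expiry, binding and authenticity,
in that order, with a constant-time MAC comparison. Secret is constructed.
"""
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret-rotate-in-production"  # constructed value
TOKEN_TTL = 300  # seconds for which a completed challenge stays valid
COOKIE = "clr"   # assumed cookie name


def _sign(ip, issued):
    msg = f"{ip}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()


def issue_challenge(ip, now=None):
    """Token the client must echo back; encodes issue time plus MAC."""
    issued = int(now if now is not None else time.time())
    return base64.urlsafe_b64encode(f"{issued}|".encode() + _sign(ip, issued)).decode()


def verify_answer(token, ip, now=None):
    """True only if the token decodes, is unexpired, bound to this IP and authentic."""
    now = int(now if now is not None else time.time())
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        issued_s, mac = raw.split(b"|", 1)  # first '|' separates time from MAC
        issued = int(issued_s)
    except (ValueError, TypeError):
        return False
    if not 0 <= now - issued <= TOKEN_TTL:
        return False  # from the future or expired
    return hmac.compare_digest(mac, _sign(ip, issued))


def handle_request(cookies, ip, now=None):
    """Decision for one request: ('pass', None) when a valid answer is present,
    otherwise ('challenge', token) so the caller can set the cookie and redirect."""
    tok = cookies.get(COOKIE)
    if tok and verify_answer(tok, ip, now):
        return "pass", None
    return "challenge", issue_challenge(ip, now)


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    state, tok = handle_request({}, "192.0.2.10", t0)
    print(state)                                               # challenge
    print(handle_request({COOKIE: tok}, "192.0.2.10", t0 + 5))  # ('pass', None)
    print(handle_request({COOKIE: tok}, "192.0.2.11", t0 + 5)[0])  # challenge
```

Binding the token to the client address is what stops one solved challenge from being replayed across a botnet; the TTL limits how long a harvested token is worth. A production deployment would rotate the secret and may bind to additional attributes, but those choices are outside what this page describes.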
The deployment positions for FortiGate and FortiWeb are slightly different from FortiDDoS. Most commonly,
organizations enable DDoS protection on a FortiGate that connects a private or DMZ network to the Internet.
This is a good option for protecting branch or remote offices that are outside the core DDoS security of an
organization. Centrally, FortiDDoS is typically positioned before a firewall such as FortiGate and is intended
to protect the network infrastructure as well as the security infrastructure. FortiWeb, on the other hand, is
deployed in front of servers and designed to protect against malicious access to them and the planting of
malware on them. The solution allows organizations to protect against application-level attacks
targeting the Web application and web services infrastructure.
Implementing Visibility
Organizations need a way to maintain vigilance and monitor their systems before, during and after an attack.
It's no secret that having a holistic picture of the IT environment allows administrators to detect aberrations
in network traffic and detect attacks quickly, while giving them the intelligence and analytical capabilities to
implement appropriate mitigation and prevention techniques. The best defenses will incorporate continuous and
automated monitoring, with alert systems that sound alarm bells and trigger the response plan should DDoS traffic
be detected.
The FortiDDoS product line offers granular visibility and control, so IT administrators have a comprehensive view
into the entirety of the network. That visibility into network behavior helps administrators get to the root of the
attack's cause and block flood traffic while allowing legitimate traffic to pass freely. It also hands administrators
the ability to conduct real-time and historic attack analysis for in-depth forensics. Plus, advanced source tracking
will further propel defensive efforts by pinpointing the address of a non-spoofed attack and will even contact the
offender's domain administrator.
The FortiDDoS Network Behavior Analysis (NBA) system along with Fortinet's FortiAnalyzer centralized reporting
appliances provide real-time visibility into Internet-facing networks, containing capabilities that prevent network
behavior anomalies, even DDoS attacks, from getting inside the organization's perimeter. That extended visibility
enables IT administrators to create easily customized reports garnered from security events, network traffic, Web
content and messaging data in search of any signs of DDoS threats or other suspicious traffic.
For effective DDoS protection, FortiDDoS includes two key components: advanced virtualization and
geolocation technologies.
FortiDDoS provides network segregation and virtualization capabilities, which allow organizations to
seamlessly accommodate a multitude of different platforms and environments simultaneously with one
appliance. With the FortiDDoS virtualization feature, policy administrators can establish and oversee up to eight
independent policy domains in a single appliance, which prevents attacks delivered in one network segment
from impacting other network segments. The virtualization feature also helps to reduce the need for replicated
network segments. And virtual instances can also be an effective mechanism in defense escalation. Rather
than relying on a single set of policies, IT administrators can define multiple sets in advance, so that a more
stringent set of policies can be applied if the previous one proves inadequate. In
addition, FortiDDoS appliances apply a virtual identifier (VID) concept for both powerful and cost-effective
multi-tenancy, avoiding the need for implementing multiple DDoS appliances.
The FortiDDoS geolocation technologies allow organizations to block malicious traffic coming from unknown
or suspicious foreign sources. Specifically, the appliances can block traffic based on geolocation through
efficient hardware logic, and, when used judiciously, can also be used to reduce load and energy consumption
on the backend servers by eliminating traffic from regions outside the organization's geographic footprint and
market.
The FortiDDoS appliances also put control of bandwidth right where it should be: in the hands of IT
administrators. Bandwidth management capabilities allow IT administrators to stay on top of policies while
predefining usage for customers, employees or contractors. And header and state anomaly prevention
technologies ensure a clean pipe that allows FortiDDoS to instantly block dark address scans and prevent
the outbreak of worms and other stealthy activity. In addition, line-rate granular ACLs enable FortiDDoS to
protect infrastructure from unwanted traffic in the data center. The combination of these capabilities with the
heuristic and behavioral detection features provided by FortiDDoS enables a powerful defense against even
the most complex DDoS attacks.
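Per-domain bandwidth management of the kind the two passages above describe (independent policy domains whose traffic cannot affect one another, and predefined usage per customer or group) is conventionally implemented with one token bucket per domain. The following is an added example written for this page, not FortiDDoS code or a description of its hardware logic; the domain names, rates, burst sizes and packet sizes are constructed.

```python
"""Per-policy-domain bandwidth policing with token buckets.

Added example, not FortiDDoS code. Each policy domain (tenant) owns a bucket
configured with a sustained rate and a burst allowance; every packet must
withdraw its size in bytes from its own domain's bucket. A domain that
saturates its allowance is dropped at its own bucket and cannot draw down any
other domain's tokens, which is the segregation property the text describes.
All rates and packet sizes below are constructed.
"""


class TokenBucket:
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps          # bytes refilled per second
        self.capacity = burst_bytes   # maximum tokens the bucket can hold
        self.tokens = float(burst_bytes)
        self.last = 0.0               # time of last refill, seconds

    def allow(self, size, now):
        """Refill for elapsed time, then admit the packet if enough tokens remain."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class BandwidthPolicy:
    """Maps a policy-domain id to its bucket; unknown domains get a default bucket."""

    def __init__(self, domains, default_rate, default_burst):
        self.buckets = {d: TokenBucket(r, b) for d, (r, b) in domains.items()}
        self.default = (default_rate, default_burst)
        self.stats = {}

    def police(self, domain, size, now):
        if domain not in self.buckets:
            self.buckets[domain] = TokenBucket(*self.default)
        ok = self.buckets[domain].allow(size, now)
        st = self.stats.setdefault(domain, {"passed": 0, "dropped": 0})
        st["passed" if ok else "dropped"] += 1
        return ok


def simulate():
    """Constructed scenario: tenant A floods while tenant B sends normally."""
    policy = BandwidthPolicy(
        {"A": (10_000, 20_000),    # 10 kB/s sustained, 20 kB burst
         "B": (50_000, 50_000)},   # 50 kB/s sustained, 50 kB burst
        default_rate=1_000, default_burst=2_000)
    for i in range(100):           # A: 100 x 1 kB packets within 0.1 s
        policy.police("A", 1_000, i * 0.001)
    for i in range(10):            # B: 10 x 1 kB packets spread over 0.5 s
        policy.police("B", 1_000, i * 0.05)
    return policy.stats


if __name__ == "__main__":
    print(simulate())  # A burst exhausted after 20 packets; B untouched
```

Tenant A burns its 20 kB burst in its first twenty packets and the trickle of refill during the remaining 80 milliseconds never reaches a full packet, so the rest are dropped; tenant B's bucket is a separate object, so B passes everything. The same structure extends to per-customer or per-contractor classes by adding entries to the domain table.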
Another key and unique element is that FortiDDoS defense mechanisms apply granular custom-built hardware
logic designed specifically for DDoS attack mitigation. That granular technology is contrasted with competing
DDoS appliance manufacturers that offer DDoS features built on top of existing IPS infrastructure.
Finally, because no one organization or network is alike, or has the same needs, Fortinet's FortiDDoS product
family offers solutions that can be tailored to vertical and market segment, with various appliance models to
address the organization's size, user and bandwidth-specific requirements.
[Figure: FortiDDoS appliance models, FortiDDoS-200A and FortiDDoS-300A; the specification table is not recoverable from this copy.]
Conclusion
For many organizations, large and small, the specter of DDoS attacks is daunting at best. News media
reports that detail the latest assault on governments and corporations prompt users to wonder who the next
victim will be, and when the next attack will occur.
Unfortunately, organizations can expect that DDoS attacks, like other security threats, will only continue to grow
and be more prolific in the future. The evolving nature of DDoS technologies will require organizations to make
a paradigm shift that entails greater foresight and more proactive defenses.
Therefore, organizations need to ramp up their response plans and assess their network infrastructure vis-à-vis
DDoS threats today. They need to start by bolstering defenses for critical servers and prioritizing data. They
also need to implement management and monitoring capabilities to give them a comprehensive understanding
of their whole network. Finally, IT administrators should be able to implement fail-safe measures that quickly
identify the source of the threat, minimize the impact of the attack, and restore service as soon as possible.
Protection against the unknown has always been a challenge. However, with the advanced techniques utilized
within the Fortinet product range, IT administrators can be assured of the highest possible level of protection
for today and the future.
About Fortinet
Fortinet is a global provider of high-performance network security solutions that provide our customers with
the power to protect and control their IT infrastructure. Our purpose-built, integrated security technologies,
combined with our FortiGuard security intelligence services, provide the high performance and complete
content protection our customers need to stay abreast of a constantly evolving threat landscape. More
than 125,000 customers around the world - including the majority of the Global 1,000 enterprises, service
providers and governments - are utilizing Fortinet's broad and deep portfolio to improve their security posture,
simplify their infrastructure, and reduce their overall cost of ownership. From endpoints and mobile devices, to
the perimeter and the core - including databases, messaging and Web applications - Fortinet helps protect
the constantly evolving networks in every industry and region around the world.
FortiGuard Security Subscription Services deliver dynamic, automated updates for Fortinet products. The Fortinet
Global Security Research Team creates these updates to ensure up-to-date protection against sophisticated threats.
Subscriptions include antivirus, intrusion prevention, web filtering, antispam, vulnerability and compliance management,
application control, and database security services.
FortiCare Support Services provide global support for all Fortinet products and services. FortiCare support enables
your Fortinet products to perform optimally. Support plans start with 8x5 Enhanced Support with "return and replace"
hardware replacement or 24x7 Comprehensive Support with advanced replacement. Options include Premium
Support, Premium RMA, and Professional Services. All hardware products include a 1-year limited hardware warranty
and 90-day limited software warranty.
www.fortinet.com
Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet
names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics
contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments
and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties,
whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that
expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited
to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.